
Cyber Security in Kenya: Laws, Threats, and How to Protect Your Business Online

Kennedy Gichobi
February 20, 2026

Kenya detected over 2.54 billion cyber threat incidents in the first quarter of 2025, according to the Communications Authority of Kenya's quarterly sector statistics, and businesses lose an estimated KES 29.9 billion (USD 230 million) to cybercrime annually. Kenya is one of Africa's leading tech hubs, and its rapid digital transformation, from M-Pesa transactions to cloud-based business systems, has created a large attack surface for cybercriminals. From phishing and ransomware to SIM-swap fraud and data breaches, the threats are real and growing. This guide covers Kenya's cybersecurity laws, the most common threats targeting businesses, and the practical protection measures every Kenyan business owner should implement.

Kenya's Cybersecurity Legal Framework

Kenya has developed one of Africa's most comprehensive cybersecurity legal frameworks, anchored by three key pieces of legislation.

Computer Misuse and Cybercrimes Act 2018 (CMCA): This is Kenya's primary cybercrime law, criminalising unauthorised access to computer systems, data interference, cyber espionage, identity theft, phishing, and publication of false information. The Act established the National Computer and Cybercrime Coordination Committee (NC4), which coordinates cybersecurity efforts across 11 government agencies. The 2024 Amendment Act strengthened provisions against SIM-swap fraud, online harassment, and deepfake content, imposing penalties of up to KES 20 million or 10 years imprisonment for serious cybercrimes.

Data Protection Act 2019: Modelled on the EU's GDPR, this Act regulates how businesses collect, process, store, and share personal data. The Office of the Data Protection Commissioner (ODPC) enforces compliance. Non-compliance can result in administrative fines of up to KES 5 million or 1 percent of annual turnover, whichever is lower, and responsible individuals may face up to two years imprisonment for offences under the Act. Businesses that process personal data must register with the ODPC and implement appropriate data protection measures; the 2021 registration regulations exempt very small entities (below a turnover and headcount threshold) unless they process data in the sectors the regulations list, such as health or financial services.

Critical Information Infrastructure Regulations 2024: Published as Legal Notice No. 44 of 2024 under the CMCA (the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024), these regulations require organisations that own or operate critical information infrastructure (banking, telecommunications, healthcare, energy) to appoint a Chief Information Security Officer (CISO), conduct annual cyber risk assessments, and report incidents to the National KE-CIRT/CC within 24 hours.

Common Cyber Threats Facing Kenyan Businesses

Phishing and social engineering: Industry estimates consistently put phishing at the start of roughly 90 percent of cyberattacks: fraudulent emails, SMS messages (smishing), or phone calls (vishing) designed to trick employees into revealing passwords or financial information, or into clicking malicious links. Phishing and vishing account for 36.7 percent of all cyber threats reported in Kenya, and attackers increasingly target M-Pesa business accounts, banking credentials, and email systems. A practical rule for staff: no one from Safaricom, a bank, or management will ever ask for a PIN or a one-time code over the phone or by SMS, so any such request is itself a fraud indicator.

Ransomware: Ransomware attacks encrypt business data and demand payment for its release. Kenya's healthcare sector experienced a 95 percent increase in ransomware incidents in 2024, but businesses across all sectors are targets. Ransomware groups target critical systems knowing that downtime costs force many victims to pay. Average ransom demands in East Africa range from USD 10,000 to USD 500,000 depending on business size.

SIM-swap fraud: Criminals convince mobile operators to transfer a victim's phone number to a new SIM card, gaining control of M-Pesa, bank accounts, and any two-factor authentication codes delivered by SMS. Authenticator apps and hardware security keys are not affected by a SIM swap, which is why they are the better MFA option for accounts that matter. Kenya's 2024 CMCA amendment specifically targets this crime with enhanced penalties.

Business email compromise (BEC): Attackers impersonate executives or suppliers via email to redirect payments or extract sensitive information, a growing threat for Kenyan businesses with international trading partners. Any change to a supplier's bank details or any urgent payment request should be confirmed by phone using a number already on file, never one taken from the email itself.

How to Protect Your Business

Cybersecurity is not just an IT problem — it is a business survival issue. Implement these measures regardless of your company size.

Employee training: Your staff are your first line of defence and your biggest vulnerability. Conduct regular cybersecurity awareness training covering phishing recognition, password hygiene, social engineering tactics, and safe browsing. Simulate phishing attacks to test employee readiness, and treat a click as a training opportunity rather than a disciplinary matter, or staff will stop reporting suspicious messages.

Multi-factor authentication (MFA): Enable MFA on all business accounts: email, banking, cloud services, and social media. Microsoft estimates that this single measure blocks over 99 percent of automated account-compromise attacks. Prefer authenticator apps or hardware security keys over SMS codes, which SIM-swap fraud defeats, and start with the accounts that can move money or reset other passwords.

Regular software updates: Patch all operating systems, applications, and firmware promptly, and turn on automatic updates wherever the vendor offers them. Unpatched systems are among the most common entry points for malware and ransomware.

Data backup strategy: Maintain comprehensive backups following the 3-2-1 rule: three copies of your data, on two different media types, with one copy stored off-site, and preferably offline or immutable so that ransomware that reaches your network cannot encrypt it too. Test backup restoration regularly, because a backup that has never been restored is only a hope, and note how long a full restore takes so you know your real recovery time.

Network security: Deploy properly configured firewalls, antivirus or endpoint detection and response (EDR) software, and intrusion detection systems. Segment your network on zero-trust principles so that a breach in one system, such as a point-of-sale terminal or a receptionist's laptop, does not compromise your entire network.

Incident response plan: Document procedures for detecting, containing, and recovering from cyber incidents, and rehearse them before you need them. Know who to contact: report incidents to the National KE-CIRT/CC (hotline: +254-703-042700), file complaints with the DCI Cybercrime Unit, and, where personal data is involved, notify the ODPC within the 72-hour window the Data Protection Act requires.
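The backup paragraph above rests on one step most businesses skip: actually restoring. As an added example that is not part of the original article, the following shell script creates a compressed archive, records a SHA-256 checksum beside it, restores the archive into a scratch directory and compares the result with the source, then appends a byte to the stored copy to show that a corrupted backup is rejected rather than trusted. It assumes a POSIX shell with tar, diff, mktemp and sha256sum (or shasum on macOS); the sample data it backs up is constructed inline, and copying the verified archive to a second medium and to an offline or off-site location, the other two legs of 3-2-1, is left to whatever transport the business uses.

```shell
#!/bin/sh
# Added example, not from the original article: a backup, verify, test-restore cycle
# for the "test backup restoration regularly" step of the 3-2-1 rule.
# Assumes a POSIX shell with tar, diff, mktemp and sha256sum (or shasum on macOS).
# Copying the verified archive to a second medium and to an offline or off-site
# location, the other two legs of 3-2-1, is left to whatever transport you use.
set -eu

# SHA-256 digest of a file, portable across GNU and BSD userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_backup SRC_DIR DEST_DIR: archive SRC_DIR into DEST_DIR and print the archive path.
make_backup() {
    local src="$1" dest="$2" stamp archive
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    archive="$dest/backup-$stamp.tar.gz"
    mkdir -p "$dest"
    # -C stores members relative to the source, so a restore lands wherever you point it.
    tar -C "$src" -czf "$archive" .
    # The checksum travels with the archive: it is the first thing a restore test checks
    # and the only way to notice silent corruption on a copy that sat offline for months.
    sha256_of "$archive" > "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: 0 if the checksum matches and the archive lists cleanly, else 1.
verify_backup() {
    local archive="$1" expected actual
    expected="$(cat "$archive.sha256")"
    actual="$(sha256_of "$archive")"
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch: $archive" >&2
        return 1
    fi
    # -t lists without extracting; a truncated gzip stream fails here.
    tar -tzf "$archive" >/dev/null 2>&1 || { echo "archive unreadable: $archive" >&2; return 1; }
}

# test_restore ARCHIVE SRC_DIR: extract into a scratch directory and compare with the
# source. Returns 0 only if every file came back byte for byte.
test_restore() {
    local archive="$1" src="$2" scratch rc=0
    scratch="$(mktemp -d)"
    tar -C "$scratch" -xzf "$archive" || rc=1
    if [ "$rc" -eq 0 ]; then
        diff -r "$src" "$scratch" >/dev/null || { echo "restore test FAILED: tree differs" >&2; rc=1; }
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Full cycle on a constructed sample dataset (not real business data), then prove that
# a corrupted stored copy is rejected. Returns 0 on success, 1 on any failure.
run_demo() {
    local work src dest archive
    work="$(mktemp -d)"
    src="$work/data"; dest="$work/backups"
    mkdir -p "$src/invoices"
    printf 'INV-0001,KES,12500\n' > "$src/invoices/2025-01.csv"
    printf 'company=Demo Traders Ltd\n' > "$src/config.ini"

    archive="$(make_backup "$src" "$dest")"
    [ -f "$archive" ] || { rm -rf "$work"; return 1; }
    verify_backup "$archive" || { rm -rf "$work"; return 1; }
    test_restore "$archive" "$src" || { rm -rf "$work"; return 1; }

    # Simulate bit-rot or tampering on the stored copy: one extra byte changes the digest.
    printf 'X' >> "$archive"
    if verify_backup "$archive" 2>/dev/null; then
        echo "corrupted copy was NOT detected" >&2
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
    echo "backup, verify and restore cycle OK; corrupted copy correctly rejected"
}

run_demo
```

In production the same three functions would run from cron against the real data directory, with verify_backup and test_restore executed again on the copy that comes back from the off-site location, not only on the one that just left the server; the checksum file is what lets you tell the two apart.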

Data Protection Compliance for Businesses

Under the Data Protection Act 2019, a Kenyan business that collects customer data must: register with the ODPC as a data controller or processor (unless it falls within the registration regulations' small-entity exemption), have a lawful basis under section 30 of the Act before collecting personal data, which for most marketing and customer-facing uses means explicit consent, implement appropriate technical and organisational security measures, notify the ODPC within 72 hours of becoming aware of a breach that poses a real risk of harm to data subjects and inform the affected individuals, appoint a Data Protection Officer if processing large volumes of sensitive data, and conduct Data Protection Impact Assessments for high-risk processing activities. Compliance is not optional: the ODPC has begun enforcement actions, and customers are increasingly aware of their data rights.

Cybersecurity Insurance and Professional Services

Consider purchasing cyber insurance to cover financial losses from data breaches, ransomware attacks, business interruption, and legal liability. Several Kenyan insurers now offer cyber risk policies; expect the underwriter to ask whether you have MFA, tested backups, and an incident response plan before issuing cover, so the measures above are a prerequisite for insurance rather than an alternative to it. For businesses without in-house IT security expertise, engage managed security service providers (MSSPs) who offer 24/7 monitoring, vulnerability assessments, and incident response. The investment in professional cybersecurity services is small compared to the potential cost of a major breach, which IBM's 2023 Cost of a Data Breach report put at an average of USD 4.45 million globally and which can destroy a small business entirely. In Kenya's increasingly digital economy, cybersecurity is not an expense but a fundamental business requirement.
